Wireshark v3 (Part 2 of 2)

In the last part of this two-part blog on Wireshark v3, we covered the following topics:

  • Translations

  • Npcap (No More WinPcap)

  • UDP Conversation Timestamping

  • Tshark and ElasticSearch

  • Capture Information is Back

  • Checksum Validation Disabling

  • String() Display Filter Function

  • DHCP and TLS

Let’s look at a few more features that have been updated or added to Wireshark v3.

If you aren’t one of my “In Laura’s Lab” Newsletter subscribers, please sign up so I can let you know when new blogs, videos, training classes, books, and challenges are released. Many things are changing in 2019 and I am thrilled to be able to return to projects that allow me to share my passion for analysis with all of you!

As I mentioned in Part 1, Wireshark v3 offers some significant and exciting changes that I think the Wireshark community will appreciate. Let’s go! Here is the second set of updated/new features in Wireshark v3!

  • Dumpcap packet enhancement

  • “No Reassembly” profile

  • Out-of-order segment reassembly TCP preference

  • Custom window title

  • Decryption Secrets Block (DSB) - embed a session key in a trace file

Remember, sign up for the Newsletter to receive notices when new blogs are released.

Dumpcap Packet Enhancement

Dumpcap now supports the -a packets:NUM and -b packets:NUM options.

The -a parameter defines an autostop condition. The -b parameter calls the ring buffer feature.

Although Dumpcap has always supported the -a and -b parameters, it didn’t support the packets option. Previously, you could only define autostop or ring buffer conditions based on duration, file size, or number of files.

The following Dumpcap command uses the new parameter options:

dumpcap -i3 -a packets:300 -b packets:100 -w 100pktsets.pcapng

This command implements the following settings:

  • -i3 capture on interface number 3

  • -a packets:300 stop after capturing a total of 300 packets

  • -b packets:100 capture 100 packets per file in a file set

  • -w 100pktsets.pcapng write to a file set that begins with 100pktsets

Before the release of Wireshark v3, you would need to use Tshark for these capabilities. Remember that Tshark actually calls Dumpcap to perform the capture process. If you don’t need any of the other features that are unique to Tshark, you can use Dumpcap.

“No Reassembly” Profile

Wireshark now includes a “No Reassembly” configuration profile. If you’ve ever seen me teach Wireshark classes, you know that I spend a fair amount of time talking about the difference in analyzing traffic with TCP reassembly on and off. Wireshark enables TCP reassembly by default. For example, when you download a file from a web server, if that file is too large to fit in a single TCP packet, Wireshark will reassemble all the packets of the file and place the reassembled contents on the last packet of the file download set.

Unfortunately, Wireshark will also set application response times based on that last packet, rather than the first response packet from the server. To measure the response time, I must turn off TCP reassembly.

Out-of-order segment reassembly TCP Preference

The TCP dissector gained a new Reassemble out-of-order segments preference to fix dissection, decryption, and object export issues when TCP segments are received out-of-order.

Let’s take a look at an example. In the http-espn-b.pcapng trace file (available at https://www.chappell-university.com/traces), the Expert Information window indicates there are four out-of-order packets in the trace file. Two packets are SYN/ACK packets and two packets are HTTP 200 OK packets. This new feature won’t do anything for our SYN/ACK packets, but it will enable us to reassemble the objects downloaded after the HTTP 200 OK packets.

Out-of-order segment reassembly TCP Preference=Off

When this setting is disabled (the default setting), out-of-order packets prevent Wireshark from reassembling objects for export.

Out-of-order segment reassembly TCP Preference=On

When this setting is enabled, packets are automatically reassembled so that you can export the objects.

In the example below, you can see how this preference setting affects the File | Export objects function.

This setting should be enabled if you are using TCP reassembly with the Allow subdissector to reassemble TCP streams preference setting.
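To make the difference between the two settings concrete, here is a small added example (my own illustration, not Wireshark code) that models a TCP stream reassembler two ways: the naive approach that glues payloads together in arrival order, and a sequence-aware approach that buffers early segments until the bytes before them have arrived. The HTTP response and the segment boundaries are constructed for the example; the gap-reporting function is my own, not a Wireshark API.

```python
"""Added example: TCP stream reassembly with and without out-of-order handling.

This is a teaching model of the problem the "Reassemble out-of-order
segments" preference solves, not Wireshark's own dissector code.
"""
from typing import Dict, List, Tuple


class Segment:
    """One TCP segment payload, keyed by its relative sequence number."""

    def __init__(self, seq: int, data: bytes):
        self.seq = seq
        self.data = data


def reassemble_in_arrival_order(segments: List[Segment]) -> bytes:
    """Naive reassembly: concatenate payloads as they arrive.
    When a segment arrives early, the result is a scrambled object,
    which is why object export fails with the preference disabled."""
    return b"".join(s.data for s in segments)


def reassemble_by_sequence(segments: List[Segment], isn: int = 0) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Sequence-aware reassembly: hold early segments in a buffer and release
    bytes only once they are contiguous with what has already been delivered.
    Returns (contiguous stream, list of (start, end) byte ranges still missing)."""
    pending: Dict[int, bytes] = {}
    next_seq = isn
    stream = bytearray()
    for seg in segments:
        end = seg.seq + len(seg.data)
        if end <= next_seq:
            continue  # pure retransmission of bytes already delivered
        pending[seg.seq] = seg.data
        # drain every buffered segment that now touches the delivered prefix
        ready = sorted(s for s in pending if s <= next_seq)
        while ready:
            for s in ready:
                chunk = pending.pop(s)
                chunk_end = s + len(chunk)
                if chunk_end > next_seq:
                    stream += chunk[next_seq - s:]  # trim a partial overlap
                    next_seq = chunk_end
            ready = sorted(s for s in pending if s <= next_seq)
    # whatever is still buffered sits behind a hole; report the holes
    gaps: List[Tuple[int, int]] = []
    cursor = next_seq
    for seq in sorted(pending):
        if seq > cursor:
            gaps.append((cursor, seq))
        cursor = max(cursor, seq + len(pending[seq]))
    return bytes(stream), gaps


# Constructed sample: a tiny HTTP response split into three segments.
SEG_STATUS = Segment(0, b"HTTP/1.1 200 OK\r\n")            # bytes 0-16
SEG_HEADERS = Segment(17, b"Content-Length: 5\r\n\r\n")     # bytes 17-37
SEG_BODY = Segment(38, b"hello")                           # bytes 38-42
FULL_RESPONSE = SEG_STATUS.data + SEG_HEADERS.data + SEG_BODY.data

# Arrival order with the body segment arriving before the headers.
OUT_OF_ORDER = [SEG_STATUS, SEG_BODY, SEG_HEADERS]


def demo() -> Tuple[bytes, bytes, List[Tuple[int, int]]]:
    """Return (naive result, sequence-aware result, gaps) for the sample."""
    naive = reassemble_in_arrival_order(OUT_OF_ORDER)
    ordered, gaps = reassemble_by_sequence(OUT_OF_ORDER)
    return naive, ordered, gaps


if __name__ == "__main__":
    naive, ordered, gaps = demo()
    print("arrival order :", naive)
    print("by sequence   :", ordered, "gaps:", gaps)
```

The naive result has the body in front of the headers, so an object exporter would hand you garbage; the sequence-aware result matches the original response. If the headers segment never arrives at all, the second function returns only the status line plus a reported gap of (17, 38), which is the kind of hole Wireshark flags as a missing segment. On the command line, the same preference can be set for tshark with -o tcp.reassemble_out_of_order:TRUE.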

Custom Window Title

The custom window title can now show the file path of the capture file, the current profile name, and version number. To set a new window title, select Edit | Preferences | Advanced and search for “window title”. The preference setting you are looking for is called gui.window_title.

  • %F = file path of the capture file

  • %P = profile name

  • %S = conditional separator (“-”) that only shows when surrounded by variables with values or static text

  • %V = version information

See the example below:

This may seem like a minor addition to Wireshark, but recently my editor, Jim Aragon, was working with multiple trace files I had sent him over time which (strangely) had the same file name, but contained a different number of packets. Jim saved each file into a separate directory and, by customizing the window title, he could easily tell which file he was working on. It’s a nice feature to have when you need it.

Embed a Session Key in a Trace File

As you may already know, you can decrypt a trace file containing encrypted communications if you have the RSA key used by the server in the trace file. You add the RSA key in Edit | Preferences | RSA Keys, as shown in the following image.
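The Decryption Secrets Block listed at the top of this post is the v3 alternative to keeping the key in a preference: the secrets travel inside the pcapng file itself. As an added example (my own code, not Wireshark’s), here is a minimal pcapng writer and reader that builds a section with a DSB carrying a TLS key log and reads the secrets back out. The key log line is a constructed dummy (a real one would be written by a TLS library via SSLKEYLOGFILE), the block-type and secrets-type constants are the ones from the pcapng specification, and the helper function names are my own.

```python
"""Added example: write and read a pcapng Decryption Secrets Block (DSB).

Block layout follows the pcapng specification; the helper names and the
sample key log line are constructed for this example.
"""
import struct
from typing import Iterator, List, Tuple

BLOCK_SHB = 0x0A0D0D0A          # Section Header Block
BLOCK_IDB = 0x00000001          # Interface Description Block
BLOCK_EPB = 0x00000006          # Enhanced Packet Block
BLOCK_DSB = 0x0000000A          # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
TLS_KEYLOG_SECRETS = 0x544C534B  # secrets type "TLSK": NSS key log format


def _block(block_type: int, body: bytes) -> bytes:
    """Wrap a body in the generic pcapng block frame (type, len, body, len)."""
    body += b"\x00" * ((-len(body)) % 4)      # bodies are padded to 32 bits
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header() -> bytes:
    # byte-order magic, major 1, minor 0, section length unspecified (-1)
    return _block(BLOCK_SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_description(linktype: int = 1, snaplen: int = 262144) -> bytes:
    return _block(BLOCK_IDB, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets(secrets: bytes, secrets_type: int = TLS_KEYLOG_SECRETS) -> bytes:
    """DSB body: secrets type, secrets length, then the raw secrets data."""
    return _block(BLOCK_DSB, struct.pack("<II", secrets_type, len(secrets)) + secrets)


def enhanced_packet(data: bytes, iface: int = 0, ts: int = 0) -> bytes:
    hdr = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
    return _block(BLOCK_EPB, hdr + data)


def iter_blocks(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a little-endian pcapng buffer, yielding (block type, body)."""
    off = 0
    while off < len(buf):
        if off + 12 > len(buf):
            raise ValueError("truncated block header at offset %d" % off)
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("malformed block length at offset %d" % off)
        trailer, = struct.unpack_from("<I", buf, off + total - 4)
        if trailer != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        body = buf[off + 8: off + total - 4]
        if btype == BLOCK_SHB and struct.unpack_from("<I", body)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("big-endian section; this example only reads little-endian")
        yield btype, body
        off += total


def extract_tls_secrets(buf: bytes) -> List[str]:
    """Return every key log line stored in TLS-type DSBs."""
    lines: List[str] = []
    for btype, body in iter_blocks(buf):
        if btype != BLOCK_DSB:
            continue
        stype, slen = struct.unpack_from("<II", body, 0)
        if slen > len(body) - 8:
            raise ValueError("DSB secrets length exceeds block body")
        if stype == TLS_KEYLOG_SECRETS:
            lines.extend(body[8:8 + slen].decode("ascii").splitlines())
    return lines


def count_packets(buf: bytes) -> int:
    """Number of Enhanced Packet Blocks, e.g. to check a dumpcap -b packets:N file."""
    return sum(1 for btype, _ in iter_blocks(buf) if btype == BLOCK_EPB)


# Constructed dummy key log line: 32-byte client random, 48-byte master secret.
SAMPLE_KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"


def build_sample_capture() -> bytes:
    """SHB, IDB, DSB, then one placeholder packet; the DSB precedes the packets it serves."""
    return (section_header() + interface_description()
            + decryption_secrets(SAMPLE_KEYLOG)
            + enhanced_packet(b"\x00" * 60))


if __name__ == "__main__":
    cap = build_sample_capture()
    print("packets:", count_packets(cap))
    print("secrets:", extract_tls_secrets(cap))
```

The ordering matters: a DSB must appear before the packets it decrypts, which is why the sample places it right after the interface block. For a real capture, Wireshark 3.0’s editcap does the same job with editcap --inject-secrets tls,keys.txt in.pcapng out.pcapng, and count_packets can be pointed at each file of a dumpcap -b packets:100 file set to confirm the split.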